A couple of weeks ago, on this same blog, we announced the first release of the Community Edition of our hybrid web application security scanner. Today we are making available an update for Syhunt Community that includes tweaks for Windows 10 compatibility, some bug fixes and experience improvements. Here is what is new in today's update:

- This release gives easier access to the options of scan tasks through a new menu, letting you suspend/resume a scan, view vulnerabilities, generate reports and more straight from the tasks tab.

- Tested and tweaked for Windows 10 compatibility.

- Added the ability to emulate the Microsoft Edge web browser during dynamic scans (although IE will remain for some time as the default emulation mode).

- Fixed a minor issue with the setup application (causing an elevation warning message after setup under newer Windows versions).

- Fixed a session directory creation issue when trying to code scan a directory with no valid source code files.

Syhunt Community Edition runs under any modern Windows version from XP through 10, and can be downloaded at the link below. Feel free to try it and share your feedback and suggestions.

Today we made available the Community Edition for our hybrid application security scanner. This is the first release of a free edition of our flagship product Syhunt Hybrid, which now can be used at no charge by the community.

It can help security auditors, security professionals, developers and hackers to start improving the security of web applications and websites right away, helping evaluate the coding practices currently in place within an organization or a group.

With this version you are now able to scan and detect the following vulnerabilities, including commonly exploited coding mistakes, through both dynamic and source code analysis:

- Cross-Site Scripting (XSS)

- SQL Injection (for MySQL and Oracle powered web applications)

- Unvalidated Redirects

- Directory Listing

- Directory Traversal

- Information Disclosure

- Old/Backup Files (Common Backup Files & Folders)

- Path Disclosure

- Source Code Disclosure

Syhunt Community Edition runs under any modern Windows version and can be downloaded at the link below. Feel free to try it and share your feedback and suggestions.

This paper intends to highlight the risk of unvalidated input in Lua-based web applications.

Some time ago I wrote about how to detect NoSQL and server-side JavaScript (SSJS) injection vulnerabilities using time-based techniques. JavaScript is still rising and becoming more popular as a platform for server-side code. This time I want to cover security aspects of another language/framework that is being increasingly adopted for web development and that has a lot of potential: Lua.

Lua is a powerful language for experienced programmers, yet it is also considered easy for inexperienced programmers to pick up. While Lua has been mostly used for game development, there is a growing ecosystem of Lua web applications and frameworks. Mature web servers like Apache and Nginx are the preferred choice for many who are creating, or thinking about creating, their first Lua-based web applications; together they account for over 70% of the world's web servers and are solid choices to start with. Alternative and pioneering Lua web programming tools like CGILua have been around for a while. CGILua runs on top of Apache or any CGI-enabled web server.

At Syhunt, we've been using Lua for quite some time as part of our web application security tools and as a primary scripting language, and we recently started using the Lua modules for the Apache and Nginx web servers internally, known as mod_lua and ngx_lua respectively. I decided to check for myself how insecurely coded Lua web applications could be targeted and how easily the servers in question could be compromised. To perform the tests, I created a small collection of insecure web applications with input validation issues tailored to each web server software.
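As an added illustration of the kind of input validation issue the paper sets out to examine (example code written for this page, not taken from the paper or from Syhunt's test applications), the plain-Lua helpers below place an unvalidated redirect beside an allowlisted one, check a request-supplied file name against directory traversal, and escape untrusted text before it is embedded in HTML. The request values at the bottom are constructed; under mod_lua or ngx_lua they would be read from the request object instead, and the allowlist of redirect targets is an assumption about the application.

```lua
-- Added example, not part of the original post: input validation helpers for a
-- Lua web handler. Runs with a plain `lua` interpreter; the `demo` table is a
-- constructed stand-in for the parameters mod_lua/ngx_lua hand to a handler.

local M = {}

-- Assumption: the application only ever redirects to these local paths.
local REDIRECT_ALLOWLIST = { ["/home"] = true, ["/account"] = true }

-- Unvalidated redirect: whatever the client sent becomes the Location header.
function M.redirect_unvalidated(target)
  return { status = 302, location = target }
end

-- Validated redirect: only allowlisted local paths are accepted; anything else
-- (including an external URL) falls back to a fixed, safe location.
function M.redirect_validated(target)
  if type(target) == "string" and REDIRECT_ALLOWLIST[target] then
    return { status = 302, location = target }
  end
  return { status = 302, location = "/home" }
end

-- Directory traversal: a file name taken from the request must be a single path
-- component. Reject separators, NUL bytes and dot-segments instead of trying to
-- strip them, and restrict the remaining characters to a conservative set.
function M.safe_filename(name)
  if type(name) ~= "string" or name == "" then return nil, "empty" end
  if name:find("[/\\]") then return nil, "path separator" end
  if name:find("\0", 1, true) then return nil, "NUL byte" end
  if name == "." or name == ".." then return nil, "dot-segment" end
  if not name:match("^[%w%._%-]+$") then return nil, "unexpected character" end
  return name
end

-- Cross-site scripting: escape untrusted text before placing it in HTML.
local HTML_ESCAPES = {
  ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;",
  ['"'] = "&quot;", ["'"] = "&#39;",
}
function M.html_escape(s)
  -- gsub returns (string, count); the parentheses keep only the string.
  return (tostring(s):gsub("[&<>\"']", HTML_ESCAPES))
end

-- Demonstration with constructed request parameters.
local demo = {
  next = "http://attacker.example/",       -- constructed external redirect target
  file = "../config.lua",                 -- constructed traversal attempt
  name = "<script>alert(1)</script>",     -- constructed XSS probe
}

print("unvalidated redirect ->", M.redirect_unvalidated(demo.next).location)
print("validated redirect   ->", M.redirect_validated(demo.next).location)

local ok, why = M.safe_filename(demo.file)
print("file name accepted?  ->", ok ~= nil, why or "")
print("safe file name       ->", M.safe_filename("report_2015.txt"))

print("escaped output       ->", M.html_escape(demo.name))

return M
```

Each validator returns either the accepted value or `nil` plus a reason, so a handler can log the rejection and answer with a fixed response rather than guessing at a "cleaned" value; rejecting malformed input outright is what keeps the redirect, file and output cases from silently passing a variant the sanitizer did not anticipate.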